Monday, 10 May 2010

When installed, this malware drops a DLL in the system folder (C:\windows\system32\msls52.dll). The DLL is packed with pretty much the same packer as the dropper, and its entry point looks similar. The very interesting thing about this malware is that it infects Uxtheme.dll in the system folder and renames the clean copy as Uxtheme(random char).tmp. The infected Uxtheme.dll locks the file msls52.dll; when you try to delete it you get an "access denied" message. Use the Kaspersky free removal tool to get rid of the DLL on reboot. Once msls52.dll has been deleted, the infected Uxtheme.dll tries to load it at startup, gives the message "Unable to load msls52.dll" and makes your machine virtually unusable. To make it work again, restart your machine in Windows Safe Mode with Command Prompt (press F8 on startup to get the safe mode menu). Once you are in safe mode, delete/rename Uxtheme.dll and rename the Uxtheme(random char).tmp file as Uxtheme.dll. This should make your machine usable after reboot :-). Btw, the infected Uxtheme.dll is detected as W32/Patched by some vendors.
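The recovery procedure above, written up as a PowerShell script. This is an added example and not code from the original post; it assumes the file names and paths the post gives (system32\msls52.dll, Uxtheme.dll and the Uxtheme<random>.tmp backup), that PowerShell is installed on the machine, that it is run from an elevated prompt in "Safe Mode with Command Prompt" so the patched Uxtheme.dll is not in use, and the optional -KnownGoodSha256 value is a placeholder for a hash you obtain from a clean machine yourself.

```powershell
# Added example, not part of the original post. Assumptions: the paths named in the
# write-up, PowerShell present on the box, and an elevated prompt in
# "Safe Mode with Command Prompt" so the patched Uxtheme.dll is not loaded.
param(
    [switch]$Restore,              # actually perform the rename steps from the post
    [string]$KnownGoodSha256 = ''  # optional placeholder: SHA-256 of a clean Uxtheme.dll from a known-good machine
)

$sys32   = Join-Path $env:SystemRoot 'system32'
$uxtheme = Join-Path $sys32 'Uxtheme.dll'
$dropped = Join-Path $sys32 'msls52.dll'

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist in older PowerShell versions, so hash through .NET directly
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

function Get-FileSummary([string]$Path) {
    $f = Get-Item -LiteralPath $Path
    # Caveat: many system DLLs are catalog-signed, so Get-AuthenticodeSignature can report
    # NotSigned for a clean copy as well; treat the status as a hint, not as proof of integrity.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    '{0,-28} {1,8} bytes  modified {2:u}  sig {3,-9} sha256 {4}' -f `
        $f.Name, $f.Length, $f.LastWriteTime, $sig.Status, (Get-Sha256Hex $Path)
}

# 1. The dropped component. While Windows runs normally the patched Uxtheme.dll keeps it locked,
#    which is why the post uses a removal tool that deletes it on reboot.
if (Test-Path -LiteralPath $dropped) { "FOUND   $dropped" } else { "ABSENT  $dropped (already removed)" }

# 2. The current Uxtheme.dll versus the renamed clean copy the malware left behind.
'Current: ' + (Get-FileSummary $uxtheme)
$backups = @(Get-ChildItem -Path $sys32 -Filter 'Uxtheme*.tmp')
if ($backups.Count -eq 0) {
    'No Uxtheme*.tmp backup found; restore Uxtheme.dll from install media or a clean machine instead.'
    return
}
foreach ($b in $backups) { 'Backup:  ' + (Get-FileSummary $b.FullName) }

if (-not $Restore) { 'Dry run only; re-run with -Restore from Safe Mode to swap the files.'; return }

# 3. Restore. With a known-good hash supplied, only a backup that matches it is put back.
$clean = $backups[0]
if ($KnownGoodSha256) {
    $clean = $backups |
        Where-Object { (Get-Sha256Hex $_.FullName) -eq $KnownGoodSha256.ToUpper() } |
        Select-Object -First 1
    if (-not $clean) { 'No backup matches the known-good hash; not restoring.'; return }
}
# The post says delete/rename the infected file; renaming keeps the patched copy for later analysis.
Rename-Item -LiteralPath $uxtheme -NewName 'Uxtheme.dll.patched'
Rename-Item -LiteralPath $clean.FullName -NewName 'Uxtheme.dll'
"Restored $($clean.Name) as Uxtheme.dll; reboot normally."
```

Run it once without switches to see the state of the three files (the sizes and hashes of the current Uxtheme.dll and the .tmp copy should differ if the DLL really was patched), then again with -Restore from Safe Mode to perform the swap the post describes.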

Continuing the analysis from the previous part, if you follow the calls and jumps there are a couple of interesting instructions.

Hmmm.. ECX is now 7FFE02F8 and the instruction moves the contents at the address in ECX back into the ECX register.
So what is this 7FFE02F8 anyway? 7FFE0000 is KUSER_SHARED_DATA, a region of memory mapped into every process and also known as SharedUserData. 7FFE0000 + 2F8 refers to the TestRetInstruction field. In this malware I think it is mainly used for anti-debugging or anti-emulation purposes.
If you continue analyzing the sample in OllyDbg, Olly gets stuck at one point and is unable to debug any further. You need to change the control flow carefully at this point and analyze further.
I didn't have much time to unpack this malware, but as the packer in the malware uses the VirtualProtect API, I'm sure you should be able to find the unpacking routine around this area.
Hope this analysis helps you fight the bad forces.

If you look at the entry point it clearly looks like it's packed with a polymorphic packer. All the 'inc eax' instructions are junk, either to stop antivirus detection or to make emulation more confusing. Following the jmp on the last line leads to a series of spaghetti jumps (uneven jmp or call instructions).

Saturday, 1 May 2010

Microsoft has acknowledged the existence of an XSS vulnerability in SharePoint Services and SharePoint Server. Successful exploitation of the vulnerability could allow an attacker to run custom code, leading to elevated privileges within the SharePoint site.

According to this TechNet blog, the likely attack scenario is that an attacker sends a malicious link and the user clicks it after logging into the vulnerable SharePoint server; this results in malicious script running in the user's context. In simple words, if you are a user (say an Admin user) logged in to a vulnerable SharePoint server and you click a malicious link carrying a malicious script, it could run with admin privileges.